An error has occurred while collecting the Administrator audit log


11 replies to this topic

#1 netwrixuser3

netwrixuser3

    Member

  • Members
  • PipPip
  • 14 posts

Posted 16 November 2018 - 08:00 AM

Hello everyone, 
 
Since some time Logon activity stopped working, it doesn't show new logon rows. The status of "Logon Activity" source's domain item is always 'Working' in monitoring plan. Only associated error in Health Log is:
 
Source: Active Directory Audit Service
Event ID: 2002
Computer: netwrix.*
User: N/A
Description: Monitoring Plan: Domain 
The following error has occurred while processing '*':   
An error has occurred while collecting the Administrator audit log: The attempt to search the administrator audit log failed. Please try again later.
 
I can't find any information on that. Is it AAL on Exchange? If yes, then why? I have Exchange, but why this error pops up for AD and starting from some time? Thanks in advance


#2 rihuka

rihuka

    Advanced Member

  • Administrators
  • PipPipPip
  • 54 posts
  • Gender:Male

Posted 16 November 2018 - 09:09 AM

Hi there,

 

What is the version of Netwrix Auditor?


Best regards,
Kirill Kirkov
T2 Support Engineer
 

#3 netwrixuser3


Posted 16 November 2018 - 10:25 AM

Hi, 9.7, last



#4 rihuka


Posted 16 November 2018 - 11:28 AM

I need the logs for investigation, zip the entire:

 

1. "ActiveDirectory" folder at C:\ProgramData\Netwrix Auditor\Logs\

2. "ActiveDirectory" folder at C:\ProgramData\Netwrix Auditor\Logs\Archive\

3. "NwNLASvc" folder at C:\ProgramData\Netwrix Auditor\Logs\DataCollectionCore\

4. "NwNLASvc" folder at C:\ProgramData\Netwrix Auditor\Logs\Archive\DataCollectionCore

5. Configuration.xml, C:\ProgramData\Netwrix Auditor\AuditCore\ConfigServer\

 

Upload files to www.netwrix.com/upload and type "851324869_KK" in the message field.


Best regards,
Kirill Kirkov
T2 Support Engineer
 

#5 netwrixuser3


Posted 16 November 2018 - 11:44 AM

Done, check, pls. Unfortunately (or not?), there was no "NwNLASvc" folder (4th item)



#6 rihuka


Posted 16 November 2018 - 03:37 PM

Based on the log, a service related to Logon Activity collection is hung; however, I could not find a particular reason affecting its operation. The following steps should fix the problem:

 

1. Stop Netwrix Auditor Logon Activity Audit Service

2. Remove "Data" folder at C:\ProgramData\Netwrix Auditor\NLA\, the "Data" folder contains temporary data.

3. Start Netwrix Auditor Logon Activity Audit Service

 

Just in case, how much free disk space do you have on C drive of Netwrix host?


Best regards,
Kirill Kirkov
T2 Support Engineer
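
The three steps in the post above, together with the free-space check it asks about, as an added PowerShell example (not part of the original post and not Netwrix tooling). It assumes the service's display name matches the name quoted in the post and that it is run elevated on the Netwrix host.

```powershell
# Added example. Assumption: the display name below matches the service name quoted in the post.
$displayName = 'Netwrix Auditor Logon Activity Audit Service'
$dataDir     = 'C:\ProgramData\Netwrix Auditor\NLA\Data'   # temporary data, per the post

# Fail early if the service cannot be found under that name
$svc = Get-Service -DisplayName $displayName -ErrorAction Stop

# Free space on C: (the question asked at the end of the post)
$c = Get-PSDrive -Name C
'{0:N1} GB free on C:' -f ($c.Free / 1GB)

# 1. Stop the service and wait until it has really stopped (it was reported as hung);
#    WaitForStatus throws a timeout exception if the state is not reached in time
Stop-Service -InputObject $svc -Force -ErrorAction Stop
$svc.WaitForStatus('Stopped', [TimeSpan]::FromMinutes(2))

# 2. Remove the temporary "Data" folder
if (Test-Path -LiteralPath $dataDir) {
    Remove-Item -LiteralPath $dataDir -Recurse -Force -ErrorAction Stop
}

# 3. Start the service again and confirm its state
Start-Service -InputObject $svc -ErrorAction Stop
$svc.WaitForStatus('Running', [TimeSpan]::FromMinutes(2))
Get-Service -DisplayName $displayName | Select-Object DisplayName, Status
```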
 

#7 rihuka


Posted 16 November 2018 - 03:39 PM

This is correct, the log is not exceeding the maximum size yet, because if it is reached the logs are moved to archive folder. 

 

> Done, check, pls. Unfortunately (or not?), there was no "NwNLASvc" folder (4th item)


Best regards,
Kirill Kirkov
T2 Support Engineer
 

#8 rihuka


Posted 16 November 2018 - 03:55 PM

The error stated below is not related to Logon Activity; according to the log, the Search-AdminAuditLog cmdlet cannot be performed while getting the AAL from the Exchange server.

In order to identify the reason, the AAL should be accessed manually via PowerShell by running the Search-AdminAuditLog cmdlet to see the original error message from the Exchange server.

I have checked your account; if it is your company (www.pasha-life.az), you may go ahead and submit a ticket via the customer portal (www.netwrix.com), because you have a support license that expires in September of 2019.

> Source: Active Directory Audit Service
> Event ID: 2002
> Computer: netwrix.*
> User: N/A
> Description: Monitoring Plan: Domain
> The following error has occurred while processing '*':
> An error has occurred while collecting the Administrator audit log: The attempt to search the administrator audit log failed. Please try again later.
>
> I can't find any information on that. Is it AAL on Exchange? If yes, then why? I have Exchange, but why this error pops up for AD and starting from some time? Thanks in advance

 


Best regards,
Kirill Kirkov
T2 Support Engineer
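
A manual check of the kind described in the post above, as an added example (not from the original post): run in the Exchange Management Shell, it shows the full Exchange error rather than the generic "Please try again later" text. The one-day window and the result size are arbitrary choices.

```powershell
# Added example; run in the Exchange Management Shell.
# Assumption: running it as the account Netwrix Auditor uses for data collection
# reproduces the collector's view most closely.

# Is admin audit logging enabled, and how long are entries kept?
Get-AdminAuditLogConfig | Format-List AdminAuditLogEnabled, AdminAuditLogAgeLimit

try {
    # Small window: the goal is to exercise the search, not to export data
    $entries = Search-AdminAuditLog -StartDate (Get-Date).AddDays(-1) `
                                    -EndDate (Get-Date) `
                                    -ResultSize 10 `
                                    -ErrorAction Stop
    'Search succeeded, {0} entries returned' -f @($entries).Count
    $entries | Select-Object RunDate, Caller, CmdletName, Succeeded
}
catch {
    # The original Exchange error, including any inner exception
    $_.Exception | Format-List Message, InnerException
    $_.CategoryInfo
    $_.FullyQualifiedErrorId
}
```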
 

#9 netwrixuser3


Posted 19 November 2018 - 07:29 AM

> Based on the log, a service related to Logon Activity collection is hung; however, I could not find a particular reason affecting its operation. The following steps should fix the problem:
>
> 1. Stop Netwrix Auditor Logon Activity Audit Service
>
> 2. Remove "Data" folder at C:\ProgramData\Netwrix Auditor\NLA\, the "Data" folder contains temporary data.
>
> 3. Start Netwrix Auditor Logon Activity Audit Service
>
> Just in case, how much free disk space do you have on C drive of Netwrix host?

Gave it a try. Will tell you about result. There is enough space on C for now, at least 30gb.

> The error stated below is not related to Logon Activity; according to the log, the Search-AdminAuditLog cmdlet cannot be performed while getting the AAL from the Exchange server.
>
> In order to identify the reason, the AAL should be accessed manually via PowerShell by running the Search-AdminAuditLog cmdlet to see the original error message from the Exchange server.
>
> I have checked your account; if it is your company (www.pasha-life.az), you may go ahead and submit a ticket via the customer portal (www.netwrix.com), because you have a support license that expires in September of 2019.

It doesn't show any error on Exchange machine. Is Netwrix supposed to perform this cmd on Exchange machine if I add entirely domain item to Logon Activity source?

Yeah, I know about support, if nothing helps, will apply.



#10 netwrixuser3


Posted 20 November 2018 - 10:49 AM

Logon Activity source still shows "Working". Error in health log still exists. Very interesting thing, health log indicates that this error belongs to "Domain" source, which has no errors (!) and is marked as success. How? 



#11 rihuka


Posted 20 November 2018 - 12:45 PM

The AAL is read by Netwrix Auditor in a similar way to that described in the following KB: https://www.netwrix.com/kb/1624

> It doesn't show any error on Exchange machine. Is Netwrix supposed to perform this cmd on Exchange machine if I add entirely domain item to Logon Activity source?


Best regards,
Kirill Kirkov
T2 Support Engineer
 

#12 rihuka


Posted 20 November 2018 - 12:48 PM

You should raise the support ticket, this will take less time for investigation, as Netwrix forum provides support for freeware products and depending on a certain issue it might take a while to figure out what's wrong. 

 

> Logon Activity source still shows "Working". Error in health log still exists. Very interesting thing, health log indicates that this error belongs to "Domain" source, which has no errors (!) and is marked as success. How?


Best regards,
Kirill Kirkov
T2 Support Engineer
 



